Author Archives: btm

weird comcast HTTP 301 redirected issues

Someone asked me for help on a strange problem recently. HTTP requests to a Comcast-hosted website were sometimes returning HTTP 301 redirects pointing back at themselves. I did a normal HTTP/1.1 GET and saw the 301, but when I went to the URL with Firefox it worked fine.

Trying 216.87.188.20...
Connected to home.comcast.net.
Escape character is '^]'.
GET /~user/image.jpg HTTP/1.1
Host: home.comcast.net

HTTP/1.1 301 Moved Permanently
Date: Tue, 19 Feb 2008 19:25:07 GMT
Server: Apache
Set-Cookie: pwp_mig_status=0; Version=1; Max-Age=900; Path=/
Location: http://home.comcast.net/~user/image.jpg
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

100

Moved Permanently
The document has moved here.


Since I'm an admin and not a web developer, I started up Wireshark, grabbed its HTTP request, then made the same request by hand and got the expected image file instead of the 301. I narrowed it down to having to send:

GET /~user/image.jpg HTTP/1.1
Host: home.comcast.net
Cookie: pwp_mig_status=0

I don't know what the workaround would be. Probably not using Comcast, because they're rat bastards anyway. I'll note I had trouble testing by hand, probably some annoying security gear was dropping my requests, but I got the right combination eventually.
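To make the failure mode above concrete, here is an added example (my code, not the original post's): it parses a raw HTTP/1.1 response like the captured 301, checks whether the Location header points back at the URL that was just requested, collects the cookies the server set, and builds the follow-up request a cookie-aware client would send. The sample response is constructed from the capture in the post; a client without a cookie jar (telnet, a naive fetcher) would follow this 301 forever, so a redirect-to-self check is a useful guard in any fetcher.

```python
# Added example (not from the original post): parse a raw HTTP/1.1 response,
# detect a redirect that points back at the URL just requested, and build the
# follow-up request carrying the cookie the server set.
from urllib.parse import urlsplit

# Constructed sample modelled on the 301 shown in the post.
RAW_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Tue, 19 Feb 2008 19:25:07 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: pwp_mig_status=0; Version=1; Max-Age=900; Path=/\r\n"
    "Location: http://home.comcast.net/~user/image.jpg\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "100\r\n...\r\n"
)


def parse_response_head(raw):
    """Return (status_code, [(header_name_lowercase, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    version, code, _reason = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return int(code), headers


def header(headers, name):
    """First value of a header, or None."""
    for n, v in headers:
        if n == name:
            return v
    return None


def cookies_set(headers):
    """name -> value for every Set-Cookie header (attributes such as Path dropped)."""
    jar = {}
    for n, v in headers:
        if n == "set-cookie":
            pair = v.split(";", 1)[0]
            name, _, value = pair.partition("=")
            jar[name.strip()] = value.strip()
    return jar


def is_self_redirect(raw, host, path):
    """True when a 3xx Location names the same host and path we just asked for."""
    code, headers = parse_response_head(raw)
    if code not in (301, 302, 303, 307, 308):
        return False
    loc = header(headers, "location")
    if loc is None:
        return False
    parts = urlsplit(loc)
    return parts.hostname == host.lower() and parts.path == path


def build_request(host, path, jar):
    """Raw HTTP/1.1 GET that sends back the cookies the server set."""
    req = "GET %s HTTP/1.1\r\nHost: %s\r\n" % (path, host)
    if jar:
        req += "Cookie: " + "; ".join("%s=%s" % kv for kv in jar.items()) + "\r\n"
    return req + "\r\n"


def retry_with_cookies(raw, host, path):
    """What a cookie-aware client does after the 301: resend with the cookie.
    Returns None if the response is not a self-redirect (nothing to retry)."""
    if not is_self_redirect(raw, host, path):
        return None
    _, headers = parse_response_head(raw)
    return build_request(host, path, cookies_set(headers))


if __name__ == "__main__":
    print(retry_with_cookies(RAW_301, "home.comcast.net", "/~user/image.jpg"))
```

The retry is done once, on purpose: if the second request still answers with a self-redirect, the right move is to stop and report it rather than loop, which is what the hand-typed telnet session could not do for itself.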

shmoocon (4) labs (2?)

Besides my photos, there'll probably be photos from pals like Alex, Andy, Ken and Luiz. Good times were had, and I've been out drinking to celebrate being home, but here are a few quick notes.

If you use broadcast/multicast storm protection on Cisco switches, make sure the other network gear supports it, or make sure you don't use it on trunk links. Ick.

Don't use any Cisco protocols that run over LLDP (CDP, VTP, DTP, etc.). Enno and Daniel, in their fuzzing work, found that these protocols generally have crappy implementations. Long live the Germans, btw.

Bring a router/firewall with wireless preconfigured, otherwise you delay the non-network groups from making progress while you configure the network.

Check last years configuration for monitor ports.

Aruba gear used as a switch is not ideal; for example, it only supports one span/monitor port.

Monowall sucks for not having a shell.

pfSense doesn't support VLAN tagging on some Soekris gear (5501) and thus sucks.

When you have security vendors doing vulnerability scanning, make sure your firewall has a huge (> 50,000) state table.

Due to hardware/cabling issues, having multiple DNS/DHCP servers is ideal.

A /24 is far too small an address space for a security conference, especially if someone configures it to only serve 100 addresses via DHCP.

Don't use VLANs over 1000, especially on Cisco gear; it's confusing and not necessary. If you do, don't use 1000-1004 or so, and pay keen attention to spanning tree ('show int trunk' and the like).

Sometimes gear has to have a VLAN configured before it will trunk it (see the above command).

using active directory ldap authentication with testlink

Someone requested a TestLink install here at work and of course I wanted LDAP authentication (single sign-on is good). On Debian you'll need 'php5 php5-mysql php5-ldap mysql-server' installed, and you will need to restart Apache (not reload!) after these are installed. Mostly I'm assuming you have TestLink set up and into the database already and you're just looking for documentation on adding LDAP support.

Find the config.inc.php file in the root of your testlink tree and make sure the following settings are set:

$g_login_method = 'LDAP';
$g_ldap_server = 'ad.example.org';
$g_ldap_port = '3268';
$g_ldap_root_dn = 'DC=ad,DC=example,DC=org';
$g_ldap_organization = ''; # e.g. '(organizationname=*Traffic)'
$g_ldap_uid_field = 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory
$g_ldap_bind_dn = 'CN=BindUser,CN=Users,DC=ad,DC=example,DC=org'; // Leave empty if your LDAP server allows anonymous binding
$g_ldap_bind_passwd = 'bindpassword'; // Leave empty if your LDAP server allows anonymous binding

A few things to note. Set the LDAP server not to a single server name but to the DNS name of the domain (the UPN suffix, or whatever you call it). You may notice this resolves to your domain controllers, giving you ghetto redundancy. If not all of your DCs are GCs, use "gc._msdcs.example.org", because as you'll see I'm using port 3268 (the global catalog) rather than 389 (LDAP). This is because php5-ldap, or libldap2, or even TestLink gets confused and fails when it sees those stupid LDAP referrals you get when your base DN is your domain rather than an OU or CN=Users. Using the GC instead just works. Since this is Active Directory, unless you've hacked it to allow anonymous binding you will need a bind DN and bind password, which can be a regular user, or you can go find the documentation on creating this more securely if it matters to you. The referral in question looks like this:

LDAPMessage searchResDone(2) Unknown result(9) (Referral:
ldap://ForestDnsZones.corp.widemile.com/DC=ForestDnsZones,DC=corp,DC=widemile,DC=com
ldap://DomainDnsZones.corp.widemile.com/DC=DomainDnsZones,DC=corp,DC=widemile,DC=com

You'll then need to create a user via the New User link on the web interface. Make sure the username matches your sAMAccountName value, that is, your regular username.

Then go into mysql (mysql -u root -p testlink) and make yourself an admin:

update users set role_id=8 where id=2;

This assumes you're the first user you created (admin is id=1); see the users table and the roles table for more information. Now go back and log into the web interface.

fixing public folder permissions in exchange 2007 sp1

Even with Exchange 2007 SP1, which adds the Public Folder Management Console to the Exchange Management Console (EMC) under toolbox, you’re still being forced to learn the Exchange Management Shell (EMS) for many things.

get-PublicFolderClientPermission -identity "\folder" | fl

Remember | fl is short for "format-list", which makes the output readable. What's odd is that you'd expect the pipe to take the information you'd see if you weren't piping the output and put it in a different format. The damn option is even called FORMAT-list. Alas, sometimes fl gives you more information than you would have gotten otherwise, so I always use it.

add-publicfolderclientpermission -identity "\folder" -User userorgroup -accessrights owner

There's a good list of AccessRights values here.

Also, apparently MS is giving their tech writers drugs now. Read this to de-stress after dealing with these shenanigans. Just remember:

Public folders do not talk. Any conversations between public folders and a real person occurred solely in the mind of the writer. And according to her, that’s the only voice she’s been hearing lately.

promiscuous mode for intel 3945ABG wireless

A Dell D620 laptop with an Intel 3945ABG card on Windows XP doesn't work in promiscuous mode out of the box with the Dell drivers for applications that use WinPcap, like Wireshark or Ethereal. Using the Intel drivers from here, despite kind words saying to use the OEM drivers, works fine with Wireshark. Just unarchive and run the executable; it updates the existing drivers without a reboot, although you will lose your wireless connection for a moment.

enabling root ssh on your nas

I'm liking NAS boxes more and more. I've been annoyed at some NAS gear at work, Infrant ReadyNAS gear, on which I've been unable to set a permission of "force R/W for everyone", let alone something more complicated. The web interface has, under 'advanced options', the ability to reset the permissions, but it hasn't always worked the way I expect it to.

Netgear bought Infrant, though, and installing the most recent RAIDiator firmware Netgear-izes everything. Coolest feature, though? After you install the latest firmware, if you install these two files as firmware, ToggleSSH and EnableRootSSH, you can SSH into the thing as root and poke around. Looks like lots of people have schemes for running databases and such on it, which seems a little gnarly. I'm happy to be able to go in and get a look at the permissions and the Samba and winbind configs, though.

dell 2748 and cisco 6509 link aggregation – 802.3ad or etherchannel, not LACP

Once again I'm cleaning up a pile of switches hanging off each other. I'm starting by taking a Dell PowerConnect 2748 switch and trunking it back to a Cisco Catalyst 6509, running two network links with the intention of aggregating them. Interestingly, this overview page says the 3448 and 2424 support "Link Aggregation with support for up to eight aggregated links per switch and up to eight ports per aggregated link (IEEE 802.3ad); LACP support", but the corresponding box for the 2748 is empty.

Under the tech specs for the 3448:

Link Aggregation with support for up to 8 aggregated links per switch and up to 8 member ports per aggregated link (IEEE 802.3ad)
LACP support (IEEE 802.3ad)

And the tech specs for the 2748 (which I have):

Industry-standard link aggregation adhering to IEEE 802.3ad standards
Supports 6 link aggregation groups and up to 4 ports per group

When configuring the two ports for a channel group:

configure terminal
interface range g7/1 - 2
channel-protocol lacp
channel-group 1 mode active

The ports would come up but I’d see intermittent packet loss on pings.

sw01#show etherchannel 1 detail
Group state = L2
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol: LACP
Ports in the group:
-------------------
Port: Gi7/1
------------

Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1 Mode = Passive Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = LACP

Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.

Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi7/1 SP indep 32768 0x1 0x1 0x701 0x7C

Age of the port in the current state: 00d:00h:05m:09s

Port: Gi7/2
------------

Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1 Mode = Passive Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = LACP

Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.

Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Gi7/2 SP indep 32768 0x1 0x1 0x702 0x7C

Age of the port in the current state: 00d:00h:05m:09s

Port-channels in the group:
----------------------

Port-channel: Po1 (Primary Aggregator)

------------

Age of the Port-channel = 00d:00h:52m:26s
Logical slot/port = 14/1 Number of ports = 0
Port state = Port-channel Ag-Not-Inuse
Protocol = LACP

The interesting parts are the port state lines (Not-in-Bndl) and the port-channel with Number of ports = 0. The ports were coming up, but LACP wasn't. I configured "LAG" on the 2748 by selecting the two corresponding ports on the "LAG Membership" page.

Doubting LACP support, I cleared the channel group configuration ('no channel-group 1') and then configured plain EtherChannel only ('channel-group 1 mode on'). Now things look good!

sw01#show etherchannel 1 detail
Group state = L2
Ports: 2 Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol: -
Ports in the group:
-------------------
Port: Gi7/1
------------

Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = -
Port-channel = Po1 GC = - Pseudo port-channel = Po1
Port index = 0 Load = 0x55 Protocol = -

Age of the port in the current state: 00d:00h:10m:40s

Port: Gi7/2
------------

Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On/FEC Gcchange = -
Port-channel = Po1 GC = - Pseudo port-channel = Po1
Port index = 1 Load = 0xAA Protocol = -

Age of the port in the current state: 00d:00h:10m:40s

Port-channels in the group:
----------------------

Port-channel: Po1
------------

Age of the Port-channel = 00d:01h:04m:04s
Logical slot/port = 14/1 Number of ports = 2
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = -

Ports in the Port-channel:

Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 55 Gi7/1 On/FEC 4
1 AA Gi7/2 On/FEC 4

Time since last port bundled: 00d:00h:10m:40s Gi7/2

So 802.3ad == EtherChannel (Cisco) == LAG (Dell). No packet loss now, if you remember that problem.
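The two 'show etherchannel 1 detail' outputs above differ in a handful of tokens (Not-in-Bndl vs In-Bndl, Number of ports = 0 vs 2, Ag-Not-Inuse vs Ag-Inuse), and those are the tokens a monitoring check should key on. As an added example (my code, not from the original post), here is a parser for that output plus a health check that reports member ports which are Up but never bundled, which is exactly the silent state that produced the intermittent loss. The two samples are constructed condensations of the outputs shown above.

```python
# Added example (not from the original post): parse 'show etherchannel N detail'
# output and flag member ports that are up but not bundled.
import re

# Constructed samples condensed from the two outputs in the post.
LACP_SAMPLE = """\
Group state = L2
Ports: 2 Maxports = 16
Protocol: LACP
Port: Gi7/1
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Port index = 0 Load = 0x00 Protocol = LACP
Port: Gi7/2
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Port index = 0 Load = 0x00 Protocol = LACP
Port-channel: Po1 (Primary Aggregator)
Logical slot/port = 14/1 Number of ports = 0
Port state = Port-channel Ag-Not-Inuse
"""

ON_SAMPLE = """\
Group state = L2
Ports: 2 Maxports = 8
Protocol: -
Port: Gi7/1
Port state = Up Mstr In-Bndl
Port index = 0 Load = 0x55 Protocol = -
Port: Gi7/2
Port state = Up Mstr In-Bndl
Port index = 1 Load = 0xAA Protocol = -
Port-channel: Po1
Logical slot/port = 14/1 Number of ports = 2
Port state = Port-channel Ag-Inuse
"""


def parse_etherchannel_detail(text):
    """Return {'ports': {name: {...}}, 'bundled_count': int|None, 'po_state': str|None}."""
    ports = {}
    current = None      # member port currently being described
    in_po = False       # inside the 'Port-channel:' section
    bundled_count = None
    po_state = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Port:\s+(\S+)", line)
        if m:
            current, in_po = m.group(1), False
            ports[current] = {"state": None, "in_bundle": False, "protocol": None, "load": None}
            continue
        if line.startswith("Port-channel:"):
            current, in_po = None, True
            continue
        if line.startswith("Port state"):
            state = line.split("=", 1)[1].strip()
            if in_po:
                po_state = state
            elif current:
                ports[current]["state"] = state
                # 'Not-in-Bndl' is a distinct token, so a plain membership test is safe
                ports[current]["in_bundle"] = "In-Bndl" in state.split()
            continue
        m = re.search(r"Number of ports\s*=\s*(\d+)", line)
        if m and in_po:
            bundled_count = int(m.group(1))
            continue
        if current:
            m = re.search(r"Protocol\s*=\s*(\S+)", line)
            if m:
                ports[current]["protocol"] = m.group(1)
            m = re.search(r"Load\s*=\s*(0x[0-9A-Fa-f]+)", line)
            if m:
                ports[current]["load"] = int(m.group(1), 16)
    return {"ports": ports, "bundled_count": bundled_count, "po_state": po_state}


def channel_problems(parsed):
    """List human-readable problems; an empty list means the bundle is healthy."""
    problems = []
    for name, info in sorted(parsed["ports"].items()):
        if info["state"] and info["state"].startswith("Up") and not info["in_bundle"]:
            problems.append("%s is Up but not in bundle (%s)" % (name, info["state"]))
        if info["in_bundle"] and info["load"] == 0:
            problems.append("%s is bundled but carries no load" % name)
    if parsed["bundled_count"] is not None and parsed["bundled_count"] != len(parsed["ports"]):
        problems.append("%d of %d member ports bundled" % (parsed["bundled_count"], len(parsed["ports"])))
    if parsed["po_state"] and "Ag-Not-Inuse" in parsed["po_state"]:
        problems.append("port-channel aggregator not in use")
    return problems


if __name__ == "__main__":
    for label, sample in (("lacp", LACP_SAMPLE), ("on", ON_SAMPLE)):
        print(label, channel_problems(parse_etherchannel_detail(sample)) or "healthy")
```

Feeding the first sample through reports every member port as Up-but-unbundled and the aggregator as not in use; the second sample comes back clean. Running this against the real command output (for example from a scheduled SSH collection) turns the "ports look up but pings drop" symptom into an explicit alert.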

I have to figure LACP is the open way to auto-configure ports for 802.3ad or EtherChannel, and is the equivalent of using PAgP on Cisco gear. This is useful if you want your switches to negotiate EtherChannel where possible, allowing you to add multiple cables and increase bandwidth without heavy reconfiguration. This Cisco page on LACP says:

LACP allows a switch to negotiate an automatic bundle by sending LACP packets to the peer.

As opposed to doing it by hand, which is plain old port aggregation. I wonder if an older Cisco switch has an option for pre-802.3ad EtherChannel and 802.3ad-compatible EtherChannel. It's interesting to note that in this switch the 'switchport trunk encapsulation isl' command doesn't work on some cards, as they only support 802.1Q VLAN trunking.

I really have to laugh at this errata, though:

System Firmware Version 1.0.0.33

Known Restrictions and Limitations:
The login screen accepts any password with the default
username, admin.

I guess that's a problem, yeah. It's cool that this release was a year ago and the problem hasn't been fixed. This is why we buy Cisco switches and not Dell switches, people.

working at widemile and blogging in web 2.0 worlds (post bubble)

A few of you know I work at Widemile now as a Systems Administrator. For non computer people, that means I play with computers. For those who care, I spend some time doing helpdesk trying to keep employees happy, and then secretly make cookies in the server room…. or, well, try to build awesome scalability using lots of different tools. I like startups because there’s no corporate mandate that we use IBM such and such, or that we have to use Oracle or any business oriented requirement. Although at my last startup the thing with Oracle did happen, which was kind of silly, but that’s another story.

So I get to leverage useful and flexible stuff, which usually amounts to open source software, to make everything work like magic. On that note, props to Adam and team at HJK Solutions for iclassify and being generally classy folks. If you’re scaling anything up at a startup, you need these people in your life, I’ll vouch for it.

The tech stuff is only interesting to tech people who are used to facing situations where people want miracles. My father was a commercial pilot and used to always say “We’ve been doing so much, with so little, for so long, that now we can do almost anything with nothing at all.” It’s pretty true, as most people just don’t get their desktop, let alone what goes on in the server room.

One of the things I find cool about Widemile is that we have a professional blogger, Billy Shih, working for us. Billy blogs on all things multivariate testing related. I see more and more companies joining and building communities, sometimes in cool ways like Dell IdeaStorm. While at times company blogs are well written and yet come off more corporate than organic, it's great to see real information and opinions come out of a place that you work for, rather than highly positioned marketing pieces that always make me, and I assume most of my peers, immediately glaze over. As an employee I also get a weekly email from him about what the tubes are up to. When I listen to colleagues talk about weekly HR emails about new policies against using off-white paper for clients whose names begin with the letter P, I feel fortunate to be in a place with real culture and humanity.

ssh key generation: rsa or dsa

Who knows? I wanted an educated response but couldn’t get one from any of the security people I know on irc.

PuTTY used to hate DSA but now just has a warning against it. Simon Tatham explains the choices a little further in a comp.security.ssh thread.

[05:37pm|fR> btm: my understanding has been that dsa was used because rsa used to be patented or something

There's a good thread, even with Grumpy Theo comments, here about the patent (US Patent #4405829). US patents are good for 17 years, so being issued on Sep 20, 1983 means it would have expired about Sep 20, 2000. RSA did this funny press release about putting the patent in the public domain, so very nice of them, on Sep 7, 2000. It's funny, I remember this being in the news back then... back in the day.

I saw somewhere that DSA was a little bit faster, but it was a random group post somewhere that I didn't care to link to. It was only a LITTLE bit faster, like 300ms maybe. Whereas DSA keys could possibly suffer from poor entropy if the pseudo-random number generator is broken, RSA is no longer patent-encumbered, is fully supported by SSH2, and has been kicked around by the cryptographic community for quite some time, so I'm going to use RSA2 (which I assume is just the SSH2 implementation of RSA). I forget right now what sucked about SSH1 RSA, but it sucks, and I'd recommend disabling support for SSH1 in your gear whenever possible.

office live communications server 2007 and public IM connectivity

Office LCS 2007 (Live Communications Server 2007) has a feature that’s referred to as PIC, or Public IM Connectivity. It looks like a feature that was in LCS 2005 as well, perhaps only after a service pack. It’s federation support to connect to MSN, AOL and Yahoo. I’m on Google Talk (jabber) and AOL IM (AIM) daily, so I use Pidgin (formerly GAIM) which is so much cleaner than the other IM clients, supports most IM protocols and supports a really nice tabbed messaging window.

I needed to contact a consultant that uses MSN today, and rather than install MSN Messenger and try to remember my password for it, I figured I’d setup the IM stuff.

Nope.

It's not that they reverse engineered the protocols or got a license to use them or anything like that; they actually federate right into those companies' networks, into the mess of it.

See Microsoft’s article about enabling PIC. Man. At the very least can’t everything support jabber? Vendor lock in for the lose.

550 5.7.1 RESOLVER.RST.AuthRequired; authentication required

Weird Exchange 2007 errors. I had a system that was sending updates via SMTP, but it wasn't working. I whitelisted the IP address of the server on the Edge server under anti-spam, like you do, but the Hub Transport started denying the message with "550 5.7.1 RESOLVER.RST.AuthRequired; authentication required". It took me a while to notice that I was getting the 5.7.1 error on the Hub Transport role rather than the Edge role, as I've grown used to having to log into the Edge role to deal with any anti-spam stuff (5.7.1 means anti-spam).

Turns out on the Hub, under EMC > Recipient Configuration > Distribution Group > Properties of the Group > Mail Flow Settings tab > Message Delivery Restrictions > Properties, there is a check box for "Require that all senders are authenticated".

That is far, far too many levels deep for a new default setting.

http://ticket/Display.html bug in request-tracker

After installing request-tracker3.6 on Debian etch via the package, the 'RT at a glance' screen has a default search named '10 highest priority tickets I own' (or '[_1] highest priority tickets I own'). The ticket # column links fine, but the subject column creates links like 'http://ticket/Display.html?id=13' that lack the hostname. This is due to a bug in initialdata:

/etc/request-tracker3.6/initialdata contains on line 595:

"$RT::WebPath/Ticket/Display.html?id=__id__\">__Subject__

When it should contain:

"$RT::__WebPath__/Ticket/Display.html?id=__id__\">__Subject__

This is set up when you first create your database. I saw a report of fixing it with rt-setup-database that lacked instructions on how to do so.

I finally found instructions here which amounted to:

1) Use mysql (run mysql, then 'use rtdb;' or whatever the name of your db is) to find the id of the search entry: SELECT id, Name FROM Attributes WHERE Name = 'Search - My Tickets';
2) Delete this entry: DELETE FROM Attributes WHERE id = x; where x is the id from above
3) Put the following in a file named repair-search:


@Attributes = (
{ Name => 'Search - My Tickets',
Description => '[_1] highest priority tickets I own', # loc
Content =>
{ Format => "'__id__/TITLE:#', '__Subject__/TITLE:Subject', Priority, QueueName, ExtendedStatus",
Query => " Owner = '__CurrentUser__' AND ( Status = 'new' OR Status = 'open')",
OrderBy => 'Priority',
Order => 'DESC' },
},
);

4) Run 'rt-setup-database --action insert --datafile repair-search --dba rtuser', where rtuser is the name of your RT database user.

Things just worked after this, no need to restart apache or clear the mason cache or anything.

It was an upstream bug; Debian bug here, with references in RT #7637, #7657 and #7854.

synergy pseudo-kvm

I'd heard about Synergy in the past but never tried it. It lets you share one keyboard and mouse across multiple desktops. Double coolness because it works on both Windows and Linux boxes. I've got two XP boxes on my desk; I used to run only one dual-head and run another box for gaming and a server. I finally got around to making them both dual-head tonight on flat panels, as I've replaced the server with some consumer NAS gear that's much quieter.

The worst part of Synergy was figuring out how to configure it. Keep in mind you need a link for both directions, that is, one to go from every computer to every other computer and back. I left the percentages alone. "Screens" are the host names of the computers (having multiple monitors is still one screen), which you can adjust from the defaults if you wish before you hit Start, under Advanced.

Slick as snot though, I can move the mouse across all four monitors (two XP boxes) and use the keyboard on both.

Of course you can’t move windows between the boxes but the clipboard seems to work, which totally solves my problem of having an IM or IRC on a different box than I’m browsing the web on.

ldap auth for request-tracker3.6 on debian etch

The debian request-tracker3.6 package puts things in different places than request tracker expects.

If you haven’t yet run ‘zless /usr/share/doc/request-tracker3.6/NOTES.Debian.gz’ do so now!

At first, after following the steps outlined here on the Best Practical RT wiki for the LDAP Overlay, I was befuddled by not seeing any LDAP traffic. After taking a look in /var/log/syslog, I noticed an LDAP request when I logged into the local root account but not when I tried to log in as an LDAP user. I realized that RT doesn't bother trying LDAP auth if the account doesn't exist locally, so you need to use LdapAutocreateAuthCallback. But where do you put it on Debian etch?

/usr/share/request-tracker3.6/html/Callbacks/LDAP/autohandler/Auth

Auth is the filename, and you may need to create those folders.

Logs for a local user:

syslog:Jan 23 09:11:12 hostname RT: Trying LDAP authentication
syslog:Jan 23 09:11:12 hostname RT: RT::User::IsLDAPPassword AUTH FAILED: root (/usr/share/request-tracker3.6/lib/RT/User_Local.pm:184)
syslog:Jan 23 09:11:12 hostname RT: RT::User::IsPassword auth method IsLDAPPassword FAILED

Failing logs for an LDAP-only user:

Jan 23 09:27:12 hostname RT: FAILED LOGIN for btmsldapuser from 10.0.0.60 (/usr/share/request-tracker3.6/html/autohandler:238)

My configs follow:

# RT_SiteConfig.pm
#
# These are the bits you absolutely *must* edit.
#
# To find out how, please read
# /usr/share/doc/request-tracker3.6/NOTES.Debian

# THE BASICS:

Set($rtname, 'host.domain.com');
Set($Organization, 'domain.com');

Set($CorrespondAddress , 'rt@domain.com');
Set($CommentAddress , 'rt-comment@domain.com');

Set($Timezone , 'US/Pacific'); # obviously choose what suits you

# THE DATABASE:

Set($DatabaseType, 'mysql'); # e.g. Pg or mysql

# These are the settings we used above when creating the RT database,
# you MUST set these to what you chose in the section above.

Set($DatabaseUser , 'rtuser');
Set($DatabasePassword , 'rtpassword');
Set($DatabaseName , 'rtdb');

# THE WEBSERVER:

Set($WebPath , "");
Set($WebBaseURL , "http://host.domain.com");

# Authentication

### What auth methods do you like and in what order?

Set($AuthMethods, ['LDAP', 'Internal']);
#Set($AuthMethods, ['LDAP']);
### LDAP Settings
#
# There are two different branches of this: LdapAuth* and LdapInfo*;
# additionally, most of the old Ldap* variables are honored, too.
#
# This means if you only have one LDAP server/config you can just set
# "LdapServer", "LdapUser", etc. and they will be used for both
# authentication and information

### Enable/Disable LDAP services
Set($LdapExternalAuth, 1);
Set($LdapExternalInfo, 1);

### Common Settings: affecting both auth and info services

# Should we create accounts for users who aren’t in LDAP?
Set($LdapAutoCreateNonLdapUsers, 1);

# Map RT attributes to LDAP attributes
#
### THE MAPPING BELOW WILL NOT WORK FOR YOU UNLESS YOU CHANGE
### IT TO MATCH YOUR LDAP SCHEMA! See http://wiki.bestpractical.com/view/LdapAttrMap
### to learn how to set this variable properly for either LDAP or Windows
### Active Directory.
Set($LdapAttrMap, {
'Name' => 'sAMAccountName',
'EmailAddress' => 'mail',
'Organization' => 'physicalDeliveryOfficeName',
'RealName' => 'cn',
'ExternalContactInfoId' => 'dn',
'ExternalAuthId' => 'sAMAccountName',
'Gecos' => 'sAMAccountName',
'HomePhone' => 'homePhone',
'WorkPhone' => 'telephoneNumber',
'MobilePhone' => 'mobile',
'PagerPhone' => 'pager',
'Address1' => 'streetAddress',
'Address2' => 'postOfficeBox',
'City' => 'l',
'State' => 'st',
'Zip' => 'postalCode',
'Country' => 'co',
'FreeformContactInfo' => 'info'}
);

# A list of RT attrs which can uniquely identify a user,
# ordered from most to least preferred.
Set($LdapRTAttrMatchList, ['ExternalContactInfoId', 'Name',
'EmailAddress', 'RealName',
'WorkPhone', 'Address2']
);

# A list of LDAP attrs to examine when canonicalizing email addresses,
# ordered from most to least preferred
Set($LdapEmailAttrMatchList, ['mail', 'mailRoutingAddress',
'mailAlternateAddress']
);
# A list of prefixes to apply to email address matches.
# Windows 2003 AD uses prefixes of smtp: or SMTP:.
# If not required just leave ''
Set($LdapEmailAttrMatchPrefix, ['', 'smtp:', 'SMTP:'] );

# The basics; if set, these override $RT::LdapAuth* and $RT::LdapInfo*
Set($LdapServer, 'ldap.domain.com');
Set($LdapBase, 'dc=domain,dc=com');
Set($LdapFilter, '(objectclass=*)');
#Set($LdapFilter, '(objectclass=posixAccount)');
# Windows 2003 Active Directory does not allow anonymous LDAP binding
# thus you must pass Net::LDAP a username and password that has
# access to read the directory.
#
# You may also need to specify the full distinguished name instead of
# just a username for LdapUser below.
# e.g. cn=Username,cn=Users,dc=yourdomain,dc=com
#
Set($LdapUser, 'binddn');
Set($LdapPass, 'bindpassword');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
Set($LdapDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapGroupAttr, 'uniqueMember');

# These turn on SSL for LDAP
#Set($LdapTLS, 0);
#Set($LdapSSLVersion, 3);

### IF YOU USE THE SAME LDAP SERVER FOR AUTH AND INFO STOP HERE ###

### Authentication settings

#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapAuthServer, 'ldap.example.com');
#Set($LdapAuthBase, 'ou=People,dc=example,dc=com');
#Set($LdapAuthFilter, "(objectclass=posixAccount)");
#Set($LdapAuthUser, '');
#Set($LdapAuthPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapAuthDisableFilter, '(employmentStatus=Terminated)');

# If you set these, only members of this group can auth via LDAP
#Set($LdapAuthGroup, 'cn=RT,ou=Group,dc=example,dc=com');
#Set($LdapAuthGroupAttr, 'uniqueMember');
# These turn on SSL for LDAP
#Set($LdapAuthTLS, 0);
#Set($LdapAuthSSLVersion, 3);

### Information settings

#
# These are used only if their $RT::Ldap* analogs are not set;
# if you want one of these variables to be honored, you must comment
# out the corresponding $RT::Ldap* variable above

#Set($LdapInfoServer, 'ldap.example.com');
#Set($LdapInfoBase, 'ou=People,dc=example,dc=com');
#Set($LdapInfoFilter, "(objectclass=posixAccount)");
#Set($LdapInfoUser, '');
#Set($LdapInfoPass, '');

# This filter is used by RT::User::UpdateFromLdap to test whether an
# LDAP user's RT account should be disabled. Any user whose LDAP record
# passes this filter (returns true) will be disabled at login
# Set($LdapInfoDisableFilter, '(employmentStatus=Terminated)');

# These turn on SSL for LDAP
#Set($LdapInfoTLS, 0);
#Set($LdapInfoSSLVersion, 3);

1;

And my apache2 config:

NameVirtualHost *

<VirtualHost *>
    ServerName rt.domain.com
    ServerAlias rt
    ServerAdmin admin@domain.com
    AddDefaultCharset UTF-8

    PerlModule Apache2::RequestRec Apache2::compat
    PerlModule Apache::DBI
    PerlRequire /usr/share/request-tracker3.6/libexec/webmux.pl
    PerlSetVar MasonArgsMethod CGI

    DocumentRoot /usr/share/request-tracker3.6/html
    SetHandler perl-script
    PerlHandler RT::Mason

    RedirectMatch permanent (.*)/$ http://rt.domain.com$1/index.html

    ErrorLog /var/log/apache2/rt.error.log
    LogLevel warn
    CustomLog /var/log/apache2/rt.access.log combined
    ServerSignature On
</VirtualHost>

hacking debian repository release file

I've posted recently about doing local Debian PXE preseed installs and using apt-mirror for multiple architectures. I went back today and found the network install failing because I had removed the Release file to get an additional repository working that I had created for locally maintained debs, like a vmware-server built with a backport of vmware-package.

There just isn't good information out there on creating the Release file. You'll need:

d-i debian-installer/allow_unauthenticated string true

in your preseed file, or the installer will fail with an error that doesn't make sense until you look at the log on vty4 and see it's not finding the Release.gpg signature. This seemed infinitely easier than trying to get signing working locally and then pushing out the public key in the initrd. Since the initrd comes from the same server, elite haxors have already won the chicken-or-egg problem anyway, and if they want to try that hard they can and I'll go get a beer instead.

Originally I took the Release file, removed everything from MD5Sum: down, and modified the Architectures and Components lines, but I was getting a "bad d-i packages file" error from the installer. Recreating it from the original Release file, changing only those two lines and leaving all of MD5Sum: in, worked okay. I didn't bother looking at the code to see why. This just worked for me, and most of the posts on the internet about "bad d-i packages file" referred to bad installs from CDs that were bad burns.
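The "bad d-i packages file" behaviour is easier to reason about once you see what the MD5Sum: section actually is: one line per file with its digest, size and path, which the installer checks against the Packages file it downloads. As an added example (my code, not from the original post), here is a small builder, parser and verifier for that format. The repository content is a constructed sample; signing with Release.gpg, which the allow_unauthenticated preseed line above turns off, is out of scope here.

```python
# Added example (not from the original post): build, parse and verify a Debian
# Release file's checksum section. Verifying the listed digests against the
# downloaded Packages file is the check that fails with 'bad d-i packages file'.
import hashlib

HASH_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

# Constructed sample repository content (not a real package).
PACKAGES = (
    "Package: example-local-deb\n"
    "Version: 1.0-1\n"
    "Architecture: i386\n"
    "Filename: pool/main/e/example-local-deb_1.0-1_i386.deb\n"
    "\n"
)
FILES = {"main/binary-i386/Packages": PACKAGES.encode()}
FIELDS = {
    "Origin": "local",
    "Suite": "etch",
    "Codename": "etch",
    "Architectures": "i386",
    "Components": "main",
    "Description": "Locally maintained debs (constructed sample)",
}


def make_release(fields, files, section="MD5Sum"):
    """Render a Release file: header fields, then one checksum section."""
    out = "".join("%s: %s\n" % kv for kv in fields.items())
    out += section + ":\n"
    for path in sorted(files):
        data = files[path]
        digest = hashlib.new(HASH_SECTIONS[section], data).hexdigest()
        out += " %s %d %s\n" % (digest, len(data), path)
    return out


def parse_release(text):
    """Return (fields, {section: [(digest, size, path), ...]})."""
    fields, sections, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            # indented lines belong to the checksum section opened just above
            if current is None:
                raise ValueError("indented line outside a checksum section: %r" % line)
            digest, size, path = line.split()
            sections[current].append((digest, int(size), path))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in HASH_SECTIONS and value == "":
            current = key
            sections[key] = []
        else:
            current = None
            fields[key] = value
    return fields, sections


def verify_release(text, files, section="MD5Sum"):
    """Map each listed path to 'ok', 'mismatch' (size or digest) or 'missing'."""
    _, sections = parse_release(text)
    if section not in sections:
        raise ValueError("Release has no %s section" % section)
    result = {}
    for digest, size, path in sections[section]:
        data = files.get(path)
        if data is None:
            result[path] = "missing"
        elif len(data) != size or hashlib.new(HASH_SECTIONS[section], data).hexdigest() != digest:
            result[path] = "mismatch"
        else:
            result[path] = "ok"
    return result


if __name__ == "__main__":
    release = make_release(FIELDS, FILES)
    print(release)
    print(verify_release(release, FILES))
```

Editing only the header lines (Architectures, Components) leaves every checksum line intact, so verification still passes, which matches what worked above; stripping the section instead leaves the installer with nothing to check the Packages file against.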